apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/component: exporter
    app.kubernetes.io/name: kube-state-metrics
    app.kubernetes.io/part-of: kube-prometheus
    app.kubernetes.io/version: {{ kube_state_metrics_tag | replace("v", "") }}
  name: kube-state-metrics
  namespace: kubesphere-monitoring-system
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/component: exporter
      app.kubernetes.io/name: kube-state-metrics
      app.kubernetes.io/part-of: kube-prometheus
  template:
    metadata:
      labels:
        app.kubernetes.io/component: exporter
        app.kubernetes.io/name: kube-state-metrics
        app.kubernetes.io/part-of: kube-prometheus
        app.kubernetes.io/version: {{ kube_state_metrics_tag | replace("v", "") }}
    spec:
      volumes:
      - name: host-time
        hostPath:
          path: /etc/localtime
          type: ""
      containers:
      - args:
        - --host=127.0.0.1
        - --port=8081
        - --telemetry-host=127.0.0.1
        - --telemetry-port=8082
        - --metric-denylist=kube_.+_version,kube_.+_created,kube_deployment_(spec_paused|spec_strategy_rollingupdate_.+),kube_endpoint_(info|address_.+),kube_job_(info|owner|spec_(parallelism|active_deadline_seconds)|status_(active|.+_time)),kube_cronjob_(info|status_.+|spec_.+),kube_namespace_(status_phase),kube_persistentvolume_(info|capacity_.+),kube_persistentvolumeclaim_(resource_.+|access_.+),kube_secret_(type),kube_service_(spec_.+|status_.+),kube_ingress_(info|path|tls),kube_replicaset_(status_.+|spec_.+|owner),kube_poddisruptionbudget_status_.+,kube_replicationcontroller_.+,kube_node_info,kube_(hpa|replicaset|replicationcontroller)_.+_generation
        - --metric-labels-allowlist=namespaces=[kubesphere.io/workspace],storageclasses=[storage.kubesphere.io/storagetype]
        image: {{ kube_state_metrics_repo }}:{{ kube_state_metrics_tag }}
        name: kube-state-metrics
        resources:
          limits:
            cpu: {{ monitoring.kube_state_metrics.resources.limits.cpu | default(monitoring.kube_state_metrics.limits.cpu) | default("1") }}
            memory: {{ monitoring.kube_state_metrics.resources.limits.memory | default(monitoring.kube_state_metrics.limits.memory) | default("8Gi") }}
          requests:
            cpu: {{ monitoring.kube_state_metrics.resources.requests.cpu | default(monitoring.kube_state_metrics.requests.cpu) | default("100m") }}
            memory: {{ monitoring.kube_state_metrics.resources.requests.memory | default(monitoring.kube_state_metrics.requests.memory) | default("150Mi") }}
        securityContext:
          runAsUser: 65534
        volumeMounts:
        - name: host-time
          mountPath: /etc/localtime
          readOnly: true
      - args:
        - --logtostderr
        - --secure-listen-address=:8443
        - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
        - --upstream=http://127.0.0.1:8081/
        image: {{ kube_rbac_proxy_repo }}:{{ kube_rbac_proxy_tag }}
        name: kube-rbac-proxy-main
        resources:
          limits:
            cpu: {{ monitoring.kube_rbac_proxy.resources.limits.cpu | default(monitoring.kube_rbac_proxy.limits.cpu) | default("1") }}
            memory: {{ monitoring.kube_rbac_proxy.resources.limits.memory | default(monitoring.kube_rbac_proxy.limits.memory) | default("100Mi") }}
          requests:
            cpu: {{ monitoring.kube_rbac_proxy.resources.requests.cpu | default(monitoring.kube_rbac_proxy.requests.cpu) | default("10m") }}
            memory: {{ monitoring.kube_rbac_proxy.resources.requests.memory | default(monitoring.kube_rbac_proxy.requests.memory) | default("20Mi") }}
        ports:
        - containerPort: 8443
          name: https-main
        securityContext:
          runAsGroup: 65532
          runAsNonRoot: true
          runAsUser: 65532
      - args:
        - --logtostderr
        - --secure-listen-address=:9443
        - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
        - --upstream=http://127.0.0.1:8082/
        image: {{ kube_rbac_proxy_repo }}:{{ kube_rbac_proxy_tag }}
        name: kube-rbac-proxy-self
        resources:
          limits:
            cpu: {{ monitoring.kube_rbac_proxy.limits.cpu | default("1") }}
            memory: {{ monitoring.kube_rbac_proxy.limits.memory | default("100Mi") }}
          requests:
            cpu: {{ monitoring.kube_rbac_proxy.requests.cpu | default("10m") }}
            memory: {{ monitoring.kube_rbac_proxy.requests.memory| default("20Mi") }}
        ports:
        - containerPort: 9443
          name: https-self
        securityContext:
          runAsGroup: 65532
          runAsNonRoot: true
          runAsUser: 65532
{% if monitoring.nodeSelector is defined and monitoring.nodeSelector is not none %}
      nodeSelector:
        {{ monitoring.nodeSelector | to_nice_yaml(indent=2) | indent(8) }}
{% elif nodeSelector is defined and nodeSelector is not none %}
      nodeSelector:
        {{ nodeSelector | to_nice_yaml(indent=2) | indent(8) }}
{% else %}
      nodeSelector:
        kubernetes.io/os: linux
{% endif %}
{% if monitoring.tolerations is defined and monitoring.tolerations is not none %}
      tolerations:
        {{ monitoring.tolerations | to_nice_yaml(indent=2) | indent(8) }}
{% elif tolerations is defined and tolerations is not none %}
      tolerations:
        {{ tolerations | to_nice_yaml(indent=2) | indent(8) }}
{% else %}
      tolerations: []
{% endif %}
{% if monitoring.affinity is defined and monitoring.affinity is not none %}
      affinity:
        {{  monitoring.affinity | to_nice_yaml(indent=2) | indent(8) }}
{% elif affinity is defined and affinity is not none %}
      affinity:
        {{ affinity | to_nice_yaml(indent=2) | indent(8) }}
{% else %}
      affinity: {}
{% endif %}
      serviceAccountName: kube-state-metrics
